Introduction

This article has been mirrored from the Parallels Knowledge Base as a courtesy to our DV server customers. As they are the authoritative source of the information covered in this article, we encourage you to check their original article. Keep in mind that this content is subject to change.

This article is provided as a courtesy. Installing, configuring, and troubleshooting third-party applications is outside the scope of support provided by (mt) Media Temple. Please take a moment to review the Statement of Support.

Instructions

TIP:

These instructions are for the DV server running Plesk 11 or above. If you are on a DV 4.0 and are running an earlier version of Plesk, please see this article for upgrade information: How do I upgrade Plesk?

First of all, make sure that all domains have Mail to nonexistent user set to Reject.

Log into the Plesk Control Panel for your domain.

Click on the Mail tab at the top.

Next, click on Change Settings.

Select Reject and click the OK button.

Next, you'll need to determine if your server is using qmail or Postfix. To do so, you can run the following SSH command:

If you're running Qmail, you'll want the (dv) 4.0 version of this article. Scroll up and select the (dv) 4.0 tab. Otherwise, continue on!

If you're running Postfix, you'll want the DV version of this article. Scroll up and select the DV tab. Otherwise, continue on!

Next, you'll want to check how many messages there are in the qmail queue with the following SSH command:

If the queue has a large number of messages waiting to be delivered and they cannot be accounted for, it's likely that you have a spam problem. At this point, you will need to determine where it's coming from.

The first step is to have a look at your mail log, so you can see what's being sent out. You can use the following SSH command to view all the mail sent on a specific date. This example would show the 11AM hour for Jan 15th:

awk '/^Jan 15 11:/' /usr/local/psa/var/log/maillog*

One of the first lines of each message log should contain a line similar to the following:

In this line, look for the "uid=XXXXX" or "invoked by uid 10000" portion. That number indicates the 'user' on the server which invoked this message. A user in this case can refer to the mail server, if the message was sent by an individual email address; the web server, if it was sent by a script; or another component of your server.

You can cross-reference this against the /etc/passwd file to determine what component the uid corresponds to.

For example, you could run the following command, where '10000' is the uid you're searching for:

getent passwd 10000

If the uid you've searched for corresponds to a mail service, like Postfix, Qmail, or an SMTP service, then it is being sent from an actual mail user rather than a script. You can find what user sent most of the messages with the command below. Note that 'SMTP authorization' should be enabled on the server to see these records:

With this information, you should be able to make an educated decision about what user is compromised, if any. Make sure this user's password is reset and that they are using a strong password.

If the uid you've searched for corresponds to the Apache service (usually uid 48) or a Plesk user (looks like 'example:x:10001:503::/var/www/vhosts/example.com:/bin/false'), then the messages are most likely being sent from a PHP script. You will need to determine which script is doing this. Keep in mind, there may be spam coming from multiple scripts.

To start, list the full contents of the mail queue, using the following command:

Postfix:

postqueue -p

qmail:

qmHandle -l

From the queue, select a message you believe to be spam. Locate the message ID. This will be the first item on each line (e.g. "376892D664" for Postfix or "10644640" for qmail). View the message's headers by running the following command, replacing the example message ID with the one you have selected from your queue:

Postfix:

postcat -q 376892D664

qmail:

qmHandle -m10644640

In the resulting message headers (at the top of the message), look for a line beginning with "X-PHP-Originating-Script". Example:

X-PHP-Originating-Script: 48:menu21.php

In the above example, we can see that the message is coming from a file called "menu21.php". To determine the location of this file, you can use the 'find' command. Example:

find / -type f -name menu21.php

This command will give us the location of this script within the file system. From here, you can delete the script, quarantine it, or clean it, based on the contents and if you determine the message to be legitimate or spam. Use your own judgement in this regard.
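The steps above (filter the mail log by hour, count which uid injected the messages, resolve the uid through the passwd file, and read the X-PHP-Originating-Script header from a queued message) can be scripted. The following is an added example, not part of the original article; it runs on constructed sample data so it works offline, and the log and header formats it assumes are labelled in the comments. It goes slightly beyond the article by accepting both the Postfix "uid=N" and the qmail "invoked by uid N" forms.

```shell
#!/bin/sh
# Added example: trace which uid is injecting mail in a given hour, resolve it to an
# account, and pull the originating PHP script from a queued message's headers.
# All input below is CONSTRUCTED sample data (assumed formats, not copied from a server).
# On a real DV server you would feed /usr/local/psa/var/log/maillog*, /etc/passwd and
# the output of `postcat -q <ID>` (or `qmHandle -m<ID>`) to these functions instead.

SAMPLE_MAILLOG='Jan 15 11:02:13 dv postfix/pickup[1234]: 376892D664: uid=48 from=<apache>
Jan 15 11:02:14 dv postfix/cleanup[1235]: 376892D664: message-id=<a@dv>
Jan 15 11:05:40 dv postfix/pickup[1234]: 4A11BC1230: uid=48 from=<apache>
Jan 15 11:09:01 dv postfix/pickup[1234]: 5B22CD4560: uid=10001 from=<example>
Jan 15 12:00:00 dv postfix/pickup[1234]: 6C33DE7890: uid=48 from=<apache>'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
example:x:10001:503::/var/www/vhosts/example.com:/bin/false'

SAMPLE_HEADERS='*** ENVELOPE RECORDS 376892D664 ***
Received: by dv (Postfix, from userid 48)
X-PHP-Originating-Script: 48:menu21.php
From: "Sales" <sales@example.com>
Subject: Hello'

# Count injecting uids for one "Mon DD HH" prefix (stdin = maillog); prints "count uid",
# busiest first. Accepts Postfix "uid=N" and qmail-style "invoked by uid N" lines.
count_uids_in_hour() {
    awk -v h="$1" 'index($0, h ":") == 1 {
            u = ""
            if (match($0, /uid=[0-9]+/))             u = substr($0, RSTART + 4,  RLENGTH - 4)
            else if (match($0, /invoked by uid [0-9]+/)) u = substr($0, RSTART + 15, RLENGTH - 15)
            if (u != "") c[u]++
        }
        END { for (u in c) print c[u], u }' | sort -rn
}

# Resolve a numeric uid to its account name (stdin = passwd-format file); exact match on
# field 3, unlike a bare grep for the number, which would also hit gids and longer uids.
uid_to_name() {
    awk -F: -v u="$1" '$3 == u { print $1; exit }'
}

# Print the script name from the first X-PHP-Originating-Script header (stdin = headers).
originating_script() {
    sed -n 's/^X-PHP-Originating-Script: *[0-9]*://p' | head -n 1
}

# Stand-alone demo on the constructed data: who injected mail in the 11 o'clock hour?
printf '%s\n' "$SAMPLE_MAILLOG" | count_uids_in_hour 'Jan 15 11' | while read -r n u; do
    printf '%s message(s) injected by uid %s (%s)\n' "$n" "$u" \
        "$(printf '%s\n' "$SAMPLE_PASSWD" | uid_to_name "$u")"
done
printf 'Originating script: %s\n' "$(printf '%s\n' "$SAMPLE_HEADERS" | originating_script)"
```

On a live server, `count_uids_in_hour 'Jan 15 11' < /usr/local/psa/var/log/maillog` and `postcat -q 376892D664 | originating_script` give the same answers the manual steps do.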

If you determine that the source of the spam is a compromised file, please see the next section for additional information.

If you determine that your server is compromised

If, by following the above steps, you determine that the spam is coming from a compromised or malicious script or file, please be aware of the following:

This script did not get there by itself. If your server contains compromised files, then there is a vulnerability you will need to address. For more information on this, please see the following resource: